Shuangpeng Bai

Ph.D. Candidate
College of Information Sciences and Technology
The Pennsylvania State University

E-mail: baisp at psu dot edu

Short Bio: I am a second-year Ph.D. candidate at Penn State University, advised by Prof. Hong Hu. Before joining Penn State University, I obtained my Bachelor's degree from Beijing Jiaotong University and Master's degree from University of Chinese Academy of Sciences. My research interests include Operating System Security, especially vulnerability detection and exploitation.


  1. DSS: Discrepancy-Aware Seed Selection Method for ICS Protocol Fuzzing Website Paper
    Shuangpeng Bai, Hui Wen, Dongliang Fang, Yue Sun, Puzhuo Liu, and Limin Sun
    In The 19th International Conference on Applied Cryptography and Network Security (ACNS 2021). [Acc Rate: 19.9%]
  2. Industrial Control System (ICS), as the core of the critical infrastructure, its vulnerabilities threaten physical world security. Mutation-based black-box fuzzing is a popular method for vulnerability discovery in ICS, and the diversification of seeds is crucial to its performance. However, the ICS devices are dedicated devices whose programs are challenging to get, protocols are unknown, and execution traces are hard to obtain in real-time. These restrictions impede seed selection, thereby reducing the efficiency of fuzzing. Therefore, it has become our primary goal to select a high-quality seed set containing as few seeds as possible with extensive triggered traces. In this paper, we present a novel automatic seed selection method called DSS, selecting high-quality seeds for improving fuzzing efficiency. The method is based on the observation that dissimilar response messages are generated by different device execution processes in most cases, which helps us build the connection of messages discrepancy and execution traces discrepancy to guide DSS. Expressly, we point out that dissimilar messages are effective indicators of different execution paths. Therefore, choosing ICS messages with high discrepancy as seeds can bring more initial execution traces and fewer seeds with the same semantic, which are essential to black-box fuzzing. Our experiments show that the quantity of seeds selected by DSS is significantly less than the traditional method when achieving the same trace coverage.